Microsoft to fix 'novel bug class' discovered by Google engineer

Windows 10 19H1, the next major iteration of the Windows operating system, will include a series of fixes for what Microsoft has called a “novel bug class,” and which has been discovered by a Google security engineer.

The patches not only fix some Windows kernel code to prevent potential attacks, but they also mark the end of an almost two-year collaboration between the Google and Microsoft security teams, a rare event in itself.

What is this “novel bug class”?

All of this began back in 2017, when James Forshaw, a security researcher who is part of Google’s Project Zero elite bug-hunting team, found a new way to attack Windows systems.

Forshaw discovered that a malicious app running on a Windows system with normal permissions (user mode) could tap into a local driver and the Windows I/O Manager (a subsystem that facilitates communications between drivers and the Windows kernel) to run malicious commands with the highest Windows privileges (kernel mode).

What Forshaw discovered was a novel way to execute an elevation of privilege (EoP) attack that hadn’t been documented before.

But despite finding some bugs that security researchers later called “neat,” Forshaw eventually hit a wall when he couldn’t reproduce a successful attack.

The reason was that Forshaw didn’t have intimate knowledge of how the Windows I/O Manager subsystem worked, and how he could pair up driver “initiator” functions and kernel “receiver” functions for a complete attack [see image below].

Image: Microsoft

The collaboration was essential

To get around this issue, Forshaw contacted the only ones who could help: Microsoft’s team of engineers.

“This led to meetings with various teams at [the] Bluehat 2017 [security conference] in Redmond where a plan was formed for Microsoft to use their source code access to discover the extent of this bug class in the Windows kernel and driver code base,” Forshaw said.

Microsoft picked up Forshaw’s research where he left off, and tracked down what was vulnerable and what needed to be patched.

During its research, the Microsoft team found that all Windows versions released since Windows XP were vulnerable to Forshaw’s EoP attack routine.

Steven Hunter, the Microsoft engineer who led this charge, said that the Windows code features a total of 11 potential initiators and 16 potential receivers that could be abused for attacks.

The good news: none of these 11 initiators and 16 receiver functions could be interconnected for an attack that abuses one of the default drivers that ship with Windows installations.

The bad news: custom drivers may facilitate attacks that the Windows team was not able to investigate during its research.

For this reason, some patches will ship with the next Windows 10 version, scheduled for release in a few weeks, to prevent any potential attacks.

“Most of these fixes are on track for release in Windows 10 19H1, with a few held back for further compatibility testing and/or because the component they exist in is deprecated and disabled by default,” Hunter said. “We urge all kernel driver developers to review their code to ensure correct processing of IRP requests and defensive use of the file open APIs.”
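To make Hunter’s advice concrete, here is an added illustration of the initiator/receiver pairing described above, written for this article and not taken from Forshaw’s or Microsoft’s reports. It is a portable C model rather than real driver code: the request record, the `receiver_open`, `flawed_initiator` and `fixed_initiator` functions and the two device paths are all assumptions constructed for the example. What it keeps from the real world is the one fact that matters for the bug class: a kernel-mode caller is trusted by default, so a driver that forwards a user-supplied request while presenting it as its own kernel-mode request lets the receiver skip the access check it would otherwise perform (in a real Windows driver the originating mode travels in the IRP’s `RequestorMode` field).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Access mode of the thread that originated a request.  Windows encodes this
 * as KPROCESSOR_MODE (KernelMode = 0, UserMode = 1); a plain enum here keeps
 * the example buildable on any platform. */
typedef enum { MODE_KERNEL = 0, MODE_USER = 1 } access_mode_t;

/* Simplified stand-in for an IRP (assumption: the real structure carries far
 * more state; only the two fields the bug class hinges on are modelled). */
typedef struct {
    const char   *path;           /* object the caller wants to open */
    access_mode_t requestor_mode; /* mode of the ORIGINAL requestor */
} request_t;

/* Constructed table of objects guarded by the receiver.  "admin_only" marks
 * an object an ordinary user-mode caller must never be allowed to open. */
typedef struct { const char *path; bool admin_only; } object_t;
static const object_t objects[] = {
    { "\\Device\\ExampleDriver\\public",  false },
    { "\\Device\\ExampleDriver\\control", true  },
};

static const object_t *lookup(const char *path) {
    for (size_t i = 0; i < sizeof objects / sizeof objects[0]; i++)
        if (strcmp(objects[i].path, path) == 0) return &objects[i];
    return NULL;
}

/* Receiver: the function that finally decides whether an open succeeds.  A
 * kernel-mode requestor is trusted; a user-mode requestor is subject to the
 * access check.  The receiver can only get this right if the initiator told
 * it the truth about who originally asked. */
bool receiver_open(const request_t *req) {
    const object_t *obj = lookup(req->path);
    if (!obj) return false;                          /* no such object */
    if (req->requestor_mode == MODE_KERNEL) return true;
    return !obj->admin_only;                         /* user mode: enforce */
}

/* Flawed initiator: opens a user-supplied path on the user's behalf but
 * stamps the request with its own kernel mode, so the receiver skips the
 * check.  This is the "initiator" half of the mismatch the article describes. */
bool flawed_initiator(const char *user_path) {
    request_t req = { user_path, MODE_KERNEL };
    return receiver_open(&req);
}

/* Fixed initiator: preserves the mode of the thread that made the original
 * request.  This is what "defensive use of the file open APIs" amounts to in
 * the model: never let a forwarded user request inherit kernel trust. */
bool fixed_initiator(const char *user_path, access_mode_t caller_mode) {
    request_t req = { user_path, caller_mode };
    return receiver_open(&req);
}

int main(void) {
    const char *ctl = "\\Device\\ExampleDriver\\control";
    printf("flawed initiator, user asks for control object: %s\n",
           flawed_initiator(ctl) ? "OPENED (bug)" : "denied");
    printf("fixed initiator,  user asks for control object: %s\n",
           fixed_initiator(ctl, MODE_USER) ? "opened" : "denied (correct)");
    return 0;
}
```

The point of the two initiators side by side is that the receiver’s code is identical in both runs; the defect lives entirely in how the initiator labels the request it forwards, which is why Microsoft had to audit the pairings between the 11 initiators and 16 receivers rather than any single function.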

More technical details about this novel EoP attack method are available in Forshaw and Hunter’s reports.

The cooperation between the Microsoft Security Response Center (MSRC) and Google’s Project Zero team also surprised many in the infosec community because at one point in the past, these two teams had a small feud and were known to publicly disclose unpatched flaws in each other’s products.

The Microsoft and Project Zero folks may have the occasional disclosure beef, but this is the kind of collaboration that happens all the time, for the greater good. pic.twitter.com/HmGQUX1OfF

Awesome collaboration between @tiraniddo & @_strohu on hunting for a class of Windows kernel driver vulns. This is what happens when you combine a logic-flaw-finding expert, an MSRC security engineer, and a powerful static analysis tool like Semmle 🙂 https://t.co/VWVCw5mTml